Allow NFQUEUE 'bypass' in the policy file

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Rules.pm

@@ -611,8 +611,8 @@ sub process_policy_actions( $$$ ) {
 #
 # Verify an NFQUEUE specification and return the appropriate ip[6]tables target
 #
-sub handle_nfqueue( $$ ) {
+sub handle_nfqueue( $ ) {
-    my ($params, $allow_bypass ) = @_;
+    my ($params) = @_;
     my ( $action, $bypass, $fanout );
     my ( $queue1, $queue2, $queuenum1, $queuenum2 );
 
@@ -625,7 +625,6 @@ sub handle_nfqueue( $$ ) {
 
 	if ( supplied $queue ) {
 	    if ( $queue eq 'bypass' ) {
-		fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 		fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
 		return 'NFQUEUE --queue-bypass';
 	    }
@@ -653,7 +652,6 @@ sub handle_nfqueue( $$ ) {
 
     if ( supplied $bypass ) {
 	fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
-	fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 
 	$bypass =' --queue-bypass';
     } else {
@@ -742,9 +740,7 @@ sub process_a_policy1($$$$$$$) {
     my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
 
     if ( defined $queue ) {
-	$policy = handle_nfqueue( $queue,
+	$policy = handle_nfqueue( $queue );
-				  0 # Don't allow 'bypass'
-	    );
     } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
@@ -2704,9 +2700,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$macro_nest_level--;
 	goto EXIT;
     } elsif ( $actiontype & NFQ ) {
-	$action = handle_nfqueue( $param,
+	$action = handle_nfqueue( $param );
-				  1 # Allow 'bypass'
-	    );
     } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;

Shorewall/manpages/shorewall-policy.xml

@@ -131,7 +131,7 @@
         role="bold">BLACKLIST</emphasis>|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
-        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
+        role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]|<emphasis
         role="bold">NONE</emphasis>}[<emphasis
         role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
         role="bold">None</emphasis>}]</term>
@@ -236,7 +236,18 @@
                 given queues. This is useful for multicore systems: start
                 multiple instances of the userspace program on queues x, x+1,
                 .. x+n and use "x:x+n". Packets belonging to the same
-                connection are put into the same nfqueue.</para>
+                connection are put into the same nfqueue. Beginning with
+                Shorewall 5.1.0, queuenumber2 may be followed by the letter
+                'c' to indicate that the CPU ID will be used as an index to
+                map packets to the queues. The idea is that you can improve
+                performance if there's a queue per CPU. Requires the NFQUEUE
+                CPU Fanout capability in your kernel and iptables.</para>
+
+                <para>Beginning with Shorewall 4.6.10, the keyword <emphasis
+                role="bold">bypass</emphasis> can be given. By default, if no
+                userspace program is listening on an NFQUEUE, then all packets
+                that are to be queued are dropped. When this option is used,
+                the NFQUEUE rule behaves like ACCEPT instead.</para>
               </listitem>
             </varlistentry>